GDPR & data
How we handle personal data, the rights you have over it, and the promises we hold ourselves to. SATS LION is built data-minimal and to the UK Children's Code.
Last updated: May 2026.
SATS LION Ltd is a company registered in England and Wales, and is the data controller for the limited personal data we hold about the adults who open accounts with us. We take the protection of children's data seriously, and we have designed the product so that there is very little personal data to protect in the first place. This page explains our approach to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the choices we have made, and how you can exercise your rights.
This page is a plain-English summary of our data-protection approach. It sits alongside our full Privacy Policy, which carries the detail of what we collect and why. Where the two cover the same ground, read them together. If anything here is unclear, please write to us at privacy@satslion.com and we will explain.
1. Our commitment and principles
We treat data minimisation as a design rule, not an afterthought. A learner profile in SATS LION carries no more than a first name and a year group. We do not ask children for an email address, a full name, a date of birth, a photograph, a phone number, or a home address. The contactable identity always belongs to an adult: a parent or a member of school staff who holds the account and consents on the child's behalf.
We hold ourselves to the core principles of UK GDPR in the following way:
- Lawfulness, fairness and transparency. We only process data where we have a lawful basis, and we tell you in plain language what we do and why.
- Purpose limitation. We collect data for the specific purpose of running a revision programme (showing the right questions, tracking progress, and keeping accounts secure) and we do not repurpose it for unrelated uses.
- Data minimisation. We collect the least we can, and we resist the temptation to gather data simply because it might one day be useful.
- Accuracy. Account holders can correct their details, and a learner's first name and year group can be updated at any time.
- Storage limitation. We keep data only as long as the account is active or as the law requires, and we delete or anonymise it after that.
- Integrity and confidentiality. We protect data with encryption in transit, access controls, and a small number of trusted, contracted providers.
We do not run advertising, we do not use advertising or behaviour-tracking SDKs, and we never sell personal data. There is no commercial incentive for us to gather more than we need, and that is deliberate.
2. Why we are allowed to process data
For parent (B2C) accounts, our lawful basis for the core service is the performance of a contract: you ask us to provide the revision programme, and we need a small amount of data to do that. Where we go beyond what the contract strictly requires, for example optional product emails, we rely on your consent, which you can withdraw at any time.
For school accounts, the school decides the purpose of the processing and instructs us to carry it out, so our role and lawful basis are framed by the data processing agreement described below. Schools typically rely on the public task or legitimate interests basis for educational use; we follow the school's lawful basis as its processor.
3. For schools: we act as your data processor
When a school uses SATS LION with its pupils, the school is the data controller and SATS LION Ltd acts as a data processor on the school's behalf. This means the school decides why and how pupil data is used, and we process that data only on the school's documented instructions. We do not use pupil data for our own purposes, and we do not market to pupils.
A written data processing agreement (DPA) is available on request, and we recommend that every school puts one in place before rolling the product out. Our DPA covers the matters required by Article 28 of UK GDPR, including:
- the subject matter, duration, nature and purpose of the processing;
- the categories of data subjects and the types of personal data;
- our duty to act only on the school's instructions;
- confidentiality commitments from staff and contractors who handle data;
- the security measures we maintain;
- the rules and approvals that apply before we engage any sub-processor;
- our support for the school in responding to data subject requests and meeting its own obligations;
- our commitments on the return or deletion of data at the end of the engagement, and on audits.
Schools can request the DPA, and any related documentation such as a record of processing summary, by writing to schools@satslion.com or privacy@satslion.com.
4. Where data is stored
We host the service on infrastructure located in the European Union wherever possible, and we prefer providers that can keep data within the UK or the EU. This keeps personal data within a region that the UK recognises as offering an adequate level of protection, and avoids unnecessary international transfers.
If a specific function ever requires a provider outside the UK or the EU, we will only use it where an appropriate safeguard is in place, such as UK adequacy regulations, the UK extension to the EU Standard Contractual Clauses, or the International Data Transfer Agreement. We will keep this page and our Privacy Policy up to date if our hosting arrangements change.
5. Sub-processors
To run the service we rely on a small number of trusted third-party providers, known as sub-processors. We keep this list deliberately short, and we only engage providers who can meet our security and data-protection standards under a written contract. The categories of sub-processor we use are:
- Cloud hosting and database infrastructure, which stores account and progress data and serves the application.
- Payments and subscription management, which processes parent subscriptions; card details are handled by the payment provider and are not stored by us.
- Essential operational services such as transactional email (for example, account and password messages) and privacy-respecting error monitoring.
We maintain a current list of the specific sub-processors we use, and we will provide it on request to account holders and to schools considering the product. Write to privacy@satslion.com and we will share the up-to-date list, along with the role each provider plays.
6. Your rights, and a child's rights
Under UK GDPR, data subjects have a set of rights over their personal data. Because the contactable account holder is an adult, a parent or a school exercises these rights, including on behalf of the child whose learning data is held. Those rights include:
- The right to be informed about how data is used, which this page and our Privacy Policy set out.
- The right of access to the personal data we hold.
- The right to rectification of data that is inaccurate or incomplete.
- The right to erasure of data in the circumstances the law allows.
- The right to restrict or object to processing in certain situations.
- The right to data portability for data you provided to us, where it applies.
- Rights related to automated decision-making. We do not make decisions with legal or similarly significant effects about a child by automated means.
To exercise any of these rights, write to privacy@satslion.com from the email address on the account, or ask through your school if the account is held by a school. We will respond within one month, as the law requires, and we will not charge a fee for a reasonable request. We may need to confirm your identity first, so that we do not disclose a child's data to the wrong person.
7. Raising a concern, and contacting the ICO
If you have a question or a concern about how we handle personal data, please contact us first at privacy@satslion.com. We would always prefer to put something right directly, and we will take your concern seriously and respond promptly.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data-protection regulator, at any time. You can reach the ICO through its website at ico.org.uk or by telephone on its public helpline. Raising a concern with us does not affect your right to contact the ICO.
8. How this connects to the UK Children's Code
SATS LION is designed for children, so we build to the Age Appropriate Design Code (the UK Children's Code). The best interests of the child are the primary consideration in how we design and run the product, and our data-minimal approach is the most direct expression of that.
In practice this means:
- a learner profile holds no more than a first name and year group, with no contact details;
- an adult, a parent or a school, opens and controls the account and consents on the child's behalf;
- settings are high-privacy by default, with no behavioural advertising and no data selling;
- we do not use nudge techniques to push children into giving up more data or weakening their privacy;
- our content is curriculum-aligned to the KS2 statutory framework and human-reviewed, so that what a child spends time on is genuinely educational.
We keep our approach under review as guidance from the ICO and the wider regulatory picture develops, and we will update this page when our practices change.
At a glance
Data-minimal by design
A learner profile carries no more than a first name and year group. No ads, no data selling, ever.
A processor for schools
Schools stay the data controller. We process on documented instructions, and a DPA is available on request.
EU-hosted where possible
We keep data in the UK or EU wherever we can, and use proper safeguards for any transfer beyond it.
Built to the Children's Code
High-privacy defaults, the child's best interests first, and curriculum-aligned, human-reviewed content.
Common questions
Do you collect any personal data about my child?
A learner profile holds only a first name and a year group, which together help us show the right work and address your child by name. We do not ask a child for an email address, a full name, a date of birth, a photo, or any contact details. The account and all contact details belong to you as the adult.
Is SATS LION the data controller or a data processor?
It depends on the account. For parent accounts we are the data controller for the limited account data we hold. For school accounts the school is the controller and we act as its data processor, handling pupil data only on the school's documented instructions.
Can our school get a data processing agreement?
Yes. A written DPA covering the Article 28 requirements is available on request. Email schools@satslion.com or privacy@satslion.com and we will provide it, along with supporting documentation, before you roll the product out.
Who are your sub-processors?
We use a small number of providers in categories such as cloud hosting and database infrastructure, payments and subscription management, and essential operational services like transactional email and error monitoring. We keep a current list of the specific providers and will share it on request.
How do I exercise my data rights or make a complaint?
Write to privacy@satslion.com from the email on your account, or ask through your school, and we will respond within one month. You also have the right to complain to the Information Commissioner's Office at ico.org.uk at any time.
Have a data question?
Write to privacy@satslion.com, or ask about a school data processing agreement. We answer plainly and promptly.